Overwriting proposal produces segfaults

Bug #1080658 reported by Oliver L.
This bug affects 1 person
Affects: ipsec-tools (Ubuntu)
Status: New
Importance: High
Assigned to: Unassigned

Bug Description

Hello,

not sure if this is security related, but: better safe than sorry....

If one overwrites a proposal in an inherited remote configuration, racoon produces a "double free corruption" like this:

===== SNIP ====== 8< =================

^C2012-11-19 12:34:31: INFO: caught signal 2
*** glibc detected *** racoon: double free or corruption (fasttop): 0x00007f59716cbc20 ***
*** glibc detected *** racoon: corrupted double-linked list: 0x00007f59716cbc90 ***

====== SNAP ======= >8 ==============

Which lets racoon crash and prevents it from exiting, which causes the init script to wait forever. The only way to recover is to kill it with SIGKILL.

A proposal overwrite looks like this:

==== SNAP ===== 8< ==================

remote 0.0.0.1
{
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_identifier on;
        certificate_type x509 "host.cert.pem" "host.key.pem";
        ca_type x509 "host.cacert.pem";
        dpd_delay = 10;
        dpd_maxfail = 5;
        match_empty_cr off;
        ike_frag on;
        passive on;

        proposal
        {
                encryption_algorithm aes256;
                hash_algorithm sha1;
                dh_group 2;
                authentication_method rsasig;
        }
}
remote anonymous inherit 0.0.0.1
{
        nat_traversal on;
        generate_policy unique;
        mode_cfg off;

        proposal
        {
                authentication_method rsasig;
                encryption_algorithm aes256;
                hash_algorithm sha1;
                dh_group 2;
                lifetime time 28800 secs;
        }

}

========= SNIP ========== >8 =============

Or it coredumps when exiting. The coredumps occur depending on what was changed in the remote section that is used for inheritance.

If you have further questions, feel free to contact me.

Thanks!

KR,

Oliver

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: racoon 1:0.8.0-9ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-33.52-generic 3.2.31
Uname: Linux 3.2.0-33-generic x86_64
ApportVersion: 2.0.1-0ubuntu15
Architecture: amd64
Date: Mon Nov 19 12:31:49 2012
InstallationMedia:

MarkForUpload: True
ProcEnviron:
 LANGUAGE=en_US:en
 TERM=screen
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: ipsec-tools
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.racoon.racoon.conf: [modified]
modified.conffile..etc.racoon.racoon.tool.conf: [deleted]
mtime.conffile..etc.racoon.racoon.conf: 2012-11-19T12:29:18
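
A configuration check for the pattern described in this report, as an added example (not part of the original report or of ipsec-tools): it scans racoon.conf text for `remote ... inherit ...` sections that define their own `proposal` block. The function name and the sample configuration are constructed for illustration, and `#` characters inside quoted strings are assumed not to occur.

```python
import re

# Constructed sample with the same shape as the configuration in the report.
SAMPLE = """
remote 0.0.0.1
{
        exchange_mode main;
        proposal { encryption_algorithm aes256; }
}
remote anonymous inherit 0.0.0.1
{
        nat_traversal on;
        proposal
        {
                lifetime time 28800 secs;  # proposal redefined in the child
        }
}
remote 10.0.0.9 inherit 0.0.0.1 { nat_traversal on; }
"""

# Tokens: quoted strings, the structural characters { } ;, and bare words.
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def find_inherited_proposal_overrides(text):
    """Return (name, parent) for each inheriting remote section with its own proposal."""
    # Drop '#' comments (assumption: no '#' inside quoted strings).
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    hits, stmt, depth, current = [], [], 0, None
    for tok in TOKEN.findall(text):
        if tok == "{":
            if depth == 0:
                # Top-level block header, e.g. ['remote', 'anonymous', 'inherit', '0.0.0.1']
                current = None
                if stmt[:1] == ["remote"] and "inherit" in stmt[:-1]:
                    i = stmt.index("inherit")
                    current = (" ".join(stmt[1:i]), " ".join(stmt[i + 1:]))
            elif depth == 1 and current and stmt == ["proposal"] and current not in hits:
                hits.append(current)  # proposal block directly inside an inheriting remote
            depth, stmt = depth + 1, []
        elif tok == "}":
            depth, stmt = max(depth - 1, 0), []
        elif tok == ";":
            stmt = []
        else:
            stmt.append(tok)
    return hits

if __name__ == "__main__":
    for name, parent in find_inherited_proposal_overrides(SAMPLE):
        print(f"remote {name} inherits {parent} and redefines proposal")
```
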

Oliver L. (grimeton) wrote :
information type: Private Security → Public
Robie Basak (racb)
Changed in ipsec-tools (Ubuntu):
importance: Undecided → High